Analysis

- max time kernel: 147s
- max time network: 166s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 07-09-2021 06:11

- Static task: static1
- Behavioral task: behavioral1
- Sample: bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe
- Resource: win7-en
General

- Target: bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe
- Size: 47KB
- MD5: 268c50b286c5e44c889b6c5489e9d337
- SHA1: addbcadf2d4b2d59ff434deed3ce5605ec7dd35e
- SHA256: bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea
- SHA512: 71c240d4598131e1f78ae09042b7e4883713d5b94001cf3634543941e1cffa3efa8890d3c75d8b10f9ec368e3c4fb27fdd929228120ad1eaaff32159fa8a25f6
Malware Config

Extracted

- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: joker3.publicvm.com:1177
- Mutex: 15ead12f68fe505287e8638b19794a4d
- reg_key: 15ead12f68fe505287e8638b19794a4d
- splitter: |'|'|
Signatures

- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
- Executes dropped EXE (1 IoC)
  Processes: yh0v0end.exe (pid 3028)
- Modifies Windows Firewall (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 800 (bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe) set thread context of PID 2392 (RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe (pid 2176)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe (pid 800), 2 entries; RegAsm.exe (pid 2392), remaining 62 entries
- Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Processes (token, pid, process):
  - SeDebugPrivilege, 800, bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe
  - SeDebugPrivilege, 2392, RegAsm.exe
  - SeDebugPrivilege, 2176, taskkill.exe
  - SeDebugPrivilege, 3028, yh0v0end.exe
  - 33, 3028, yh0v0end.exe (12 entries, alternating with the next row)
  - SeIncBasePriorityPrivilege, 3028, yh0v0end.exe (12 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: RegAsm.exe (pid 2392), 2 entries
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (source pid and process -> target pid and process):
  - 800 bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe -> 2036 RegAsm.exe (3 entries)
  - 800 bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe -> 2392 RegAsm.exe (8 entries)
  - 2392 RegAsm.exe -> 4016 cmstp.exe (3 entries)
  - 1116 DllHost.exe -> 3704 cmd.exe (3 entries)
  - 3704 cmd.exe -> 3028 yh0v0end.exe (3 entries)
  - 1116 DllHost.exe -> 2176 taskkill.exe (3 entries)
  - 3028 yh0v0end.exe -> 748 netsh.exe (3 entries)
Processes

Process tree (indentation shows parent/child depth; the quoted text after each image path is the command line):

- C:\Users\Admin\AppData\Local\Temp\bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe
  "C:\Users\Admin\AppData\Local\Temp\bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\SysWOW64\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\dwwkqwxf.inf
- C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Windows\temp\yh0v0end.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\temp\yh0v0end.exe
      C:\Windows\temp\yh0v0end.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\temp\yh0v0end.exe" "yh0v0end.exe" ENABLE
  - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM cmstp.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Windows\Temp\yh0v0end.exe
  - MD5: 2e5cc82bf3792613e217cb71100d42d8
  - SHA1: d53f73ec6c9466baff5b00c9618d1def74d00337
  - SHA256: d325902342e6787594c11b1be01afffb4bf8d839f21ae03a76e16f37a55e4240
  - SHA512: 3b20491ac43445a326a8cac6919d387d2921cd3e45e5d2814b4a128e58baed4ba88972b9c1c7ed4b21b58f2a4ab9c09f6cc1735b4e494336dd2efd5043eeecb6
- C:\Windows\temp\dwwkqwxf.inf
  - MD5: 48b9d834bd8b5e211e75fcd16cb7f918
  - SHA1: 668be1330d5abdb8f471377ecbba91e00a0993fc
  - SHA256: a2a16d8c2e9d63147c2bfdf0a907a967df56dd0f4eab3007115e3d028a590931
  - SHA512: 80a051fb19ce0d22f6b7ad9f94ae9c2454089c843382a54fde95b6453f2c2f0c1d381eda13904721aa13a53983cf4858ffb2c1ef0c2ec19c28b8fd589735d10e
- C:\Windows\temp\yh0v0end.exe (same file as the first entry; the path differs only in case)
  - MD5: 2e5cc82bf3792613e217cb71100d42d8
  - SHA1: d53f73ec6c9466baff5b00c9618d1def74d00337
  - SHA256: d325902342e6787594c11b1be01afffb4bf8d839f21ae03a76e16f37a55e4240
  - SHA512: 3b20491ac43445a326a8cac6919d387d2921cd3e45e5d2814b4a128e58baed4ba88972b9c1c7ed4b21b58f2a4ab9c09f6cc1735b4e494336dd2efd5043eeecb6
Memory dumps (dump name, then Filesize where the report gives one):

- memory/748-140-0x0000000000000000-mapping.dmp
- memory/800-120-0x00000000051C0000-0x00000000051C1000-memory.dmp, 4KB
- memory/800-118-0x0000000004F40000-0x0000000004F41000-memory.dmp, 4KB
- memory/800-121-0x0000000004F50000-0x0000000004F5B000-memory.dmp, 44KB
- memory/800-122-0x00000000054B0000-0x00000000054B1000-memory.dmp, 4KB
- memory/800-116-0x00000000054E0000-0x00000000054E1000-memory.dmp, 4KB
- memory/800-114-0x00000000006F0000-0x00000000006F1000-memory.dmp, 4KB
- memory/800-119-0x0000000004FB0000-0x0000000004FB1000-memory.dmp, 4KB
- memory/800-117-0x0000000004FE0000-0x0000000004FE1000-memory.dmp, 4KB
- memory/2176-138-0x0000000000000000-mapping.dmp
- memory/2392-124-0x0000000000408F5E-mapping.dmp
- memory/2392-132-0x0000000005250000-0x000000000574E000-memory.dmp, 5.0MB
- memory/2392-131-0x0000000005250000-0x000000000574E000-memory.dmp, 5.0MB
- memory/2392-123-0x0000000000400000-0x000000000040E000-memory.dmp, 56KB
- memory/3028-135-0x0000000000000000-mapping.dmp
- memory/3028-139-0x0000000001810000-0x0000000001811000-memory.dmp, 4KB
- memory/3028-141-0x0000000001811000-0x0000000001812000-memory.dmp, 4KB
- memory/3704-134-0x0000000000000000-mapping.dmp
- memory/4016-129-0x0000000000000000-mapping.dmp